enlightn VS PHPStan

Enlightn scans your code to check whether it follows best practices in performance, security, and reliability. It's a paid tool, but it also has free checks you can use. At the time of writing, it has 64 checks in the free version and 128 checks in the paid version. For the purposes of this article, we'll only be using the free version.

There are other tools out there, such as Enlightn and Dependabot, that help you to detect dependencies in your project with security vulnerabilities. But I'd like to think of these types of tools more as being "reactive". By that, I mean that they can alert you of vulnerable dependencies after you've installed them in your project. This can result in you introducing potential security holes into your applications without being aware at first. This is by no means a discredit to any of these types of tools though. Vulnerabilities are always being discovered in frameworks, packages, and libraries. So being able to detect them is a great way to stay on top of your project's security.

In this article, we're going to briefly look at different things to look out for when auditing your app's security, or adding new validation. We'll also look at how you can use "Enlightn" to detect potential mass assignment vulnerabilities.

Checkout laravel enlghtn, scans all dependencies, we have it wired for all prs and nightly on all code bases. https://www.laravel-enlightn.com/

you can also check https://www.laravel-enlightn.com

Uhh did you check the link? It's another product. The security checker is an independent package. The Enlightn Github repo is here and the security checker is here. Lol you were so busy criticizing about emojis, you don't even know what I was talking about.

As part of the journey to PHP perfection, you should embrace Rector. It's a amazing, free, and open-source tool for migrations, code quality, type coverage, pushing PHPStan to the highest levels, and yes, it can even auto-fix your existing code! It seamlessly integrates into the CI process, making your development workflow smoother than ever.

PHPStan focuses on finding errors in PHP code without running it. It captures all types of errors, even before you write tests. It brings PHP closer to compiled languages by checking the correctness of each line of code before execution.

PHPStan is a static analysis tool for PHP. Larastan is a package built on top of PHPStan to make it easier to integrate with Laravel projects. PHPStan works by "sniffing" the code using the various rulesets applied to it and determine if it follows the standards. However, Larastan doesn't fully follow the definition of "static analysis" since it has to boot the application's container and resolve the types that can only be computed at runtime. This is why Larastan is called a "code analysis" tool rather than a "static analysis" tool.

PHPStan: PHP Static Analysis Tool - discover bugs in your code without running it! Plugins: ergebnis/phpstan-rules: Provides additional rules for phpstan/phpstan. spaze/phpstan-disallowed-calls: PHPStan rules to detect disallowed calls and constant & namespace usages roave/no-floaters: static analysis rules to prevent IEEE-754 floating point errors. dave-liddament/php-language-extensions: Attributes to define PHP language extensions (to be enforced by static analysis) sidz/phpstan-rules: Additional rules for phpstan/phpstan. staabm/phpstan-baseline-analysis: Analyzes PHPStan baseline files and creates aggregated error trend-reports More extensions

So, in this article we have written a fairly simple but functional rule for PHPStan. We have discussed the basics of PHPStan and now we can cover our project with more complex tests. I also recommend reading the developer documentation. It won't take you long to learn more rule development features.

You could try something like PHP Stan. It scans your code for defects and lists them all for you. It probably won't catch everything, but it'll certainly help, and it's free

PHPStan is a powerful static analysis tool that performs comprehensive type checking and detects potential errors in PHP code. It analyzes the codebase and provides detailed reports, highlighting type mismatches, undefined variables, and other issues. Documentation: The official repository of PHPStan contains detailed information on installation, configuration, and usage: PHPStan Repository

Redis for cache

PHP isn’t dead. It definitely has some weirdness introduced in older versions that cannot be removed due to backward compatibility promises. However, recent versions of PHP have improved performance and developer experience significantly. Also, we use strict types and PHPStan [https://phpstan.org] (max level) to ensure type safety. And, we try to have 95%+ coverage using Pest PHP [https://pestphp.com]. With those tools, writing PHP is fun. Laravel saves a lot of time by abstracting away many HTTP, queue, and CLI-related tasks. MYSQL is the single source of truth. We sync data to Meilisearch for search. Laravel Scout makes syncing effortless. Redis is used for caching and queues.

More details on the open-source software we use are available here: [https://blogs.hyvor.com/docs/oss]

Theme Development:

In Hyvor Blogs, all themes are fully customizable. We wanted to make the theme development process as friendly as possible for developers. Being a hosted software, this is quite hard. Developers aren’t fond of (including me) editing a file on the browser to make something work. Providing an online web editor to create themes wasn’t an option. So, we created a simple CLI tool [https://github.com/hyvor/hyvor-blogs-cli] that developers can install locally via NPM. This CLI tool listens for file changes and syncs all theme files to a development blog in our production system. So, developers can make changes in their local editor and see changes with almost no delay. This has worked pretty well so far!

Theme Structure:

We wanted to keep the theme structure simple. No Javascript frameworks - just plain old-school HTML because it works the best with search engines, minimizes the data transfer required between the server and the browser, and even provides a better experience for end users.

We obviously needed a templating language to render HTML from data. There were many options like Handlebars, Liquid, and Twig. All do the job. We went with Twig because its original package is written in PHP and managed by the Symfony team so we could trust it and easily integrate it into our system.

Another thing we cared about a lot is creating standardized theme guidelines. For example, if you take WordPress themes, most themes have their own structure and are very different from each other. This adds a learning curve to each theme. To prevent that, we created standardized theme guidelines for all published themes to follow. We also standardized how common things in blogs like color theme switching, searching, language switching, etc. work. This helps users switch between and customize their themes effortlessly.

Then, there is one important thing we realized. “The structure of a blog is very simple”. First, you might think you need several stylesheets, jQuery, bootstrap, etc. NO! Just one stylesheet and barely some vanilla javascript for interactive elements like search. Realizing this helped us further improve theme performance. In our themes, the developer writes several SCSS files inside the /styles directory. This makes it easier for them to manage styles in chunks. Then, we convert all SCSS files into a single styles.css when loading it in the blog. That way, only 1 HTTP request is needed for styles - it’s super fast!

You can see more about theme development here: [https://blogs.hyvor.com/docs/themes-overview]

All official themes are free and open-source. [https://github.com/hyvor/hyvor-blogs-themes]

We have ported multiple open-source themes, and now working on a couple of original themes as well.

Caching:

We incrementally cache content using “first-request caching”. If you visit a post in the blog, the response is dynamically created and cached. Subsequent responses are served from the cache until the blogger updates the post.

This is highly efficient and scalable. Also, there is no building step involved as in Netlify or similar static hosting platforms. You can immediately see changes but also benefit from caching.

The cache is saved on a Redis server in our data centers, but we may try CDN edge caching in the future.

Multi-language support:

Multi-language support is probably the most unique selling point of Hyvor Blogs. The first version of Hyvor Blogs did not have a multi-language feature. Adding that feature took a lot of careful thought and effort, but it was totally worth it. I can safely say there’s no other hosted blogging platform that makes managing multiple languages as easy as Hyvor Blogs does.

First, we had to figure out what data was translatable. For example, post content, description, etc. Then instead of saving that data in the `posts` table, we created a new `post_variants` table to save them linked to a specific `language_id`. The blogger can create multiple languages and each entity (`post` , `tag` , `user`) can have variants for each language.

Additionally, we integrated DeepL [https://deep.com] to let bloggers automatically translate posts into many languages.

Data API filtering:

Our Data API [https://blogs.hyvor.com/docs/api-data] returns public data of the blog. This is also internally used in themes to fetch additional data. If you think about filtering data (ex: posts), one may want to filter `published_at < {time}` while another wants `published_at > {time}`. If we went with the normal API approach, we’d need many query parameters like `published_at_greater_than`, `published_at_less_than`, etc. That’s ineffective. So, we wrote a little query language called FilterQ to take a single `filter` input parameter and safely convert it to the `WHERE` part of the SQL query. With it, you can call the API with `filter=published_at>{time}` param. And, it’s even possible to use `and` / `or` and grouping for complex filtering.

Library (implemented in Laravel): https://github.com/hyvor/laravel-filterq

Sub-directory hosting:

We designed a new way to host a blog in a subdirectory of a web application. Let’s say you have a Laravel application at example.com. We created Delivery API [https://blogs.hyvor.com/docs/api-delivery] to help you host your blog at example.com/blog.

This API tells you how to deliver a response for a request (hence “Delivery” API). For example, when your Laravel app receives a request to /blog/hello-world, your app calls the Delivery API to learn how to respond to “/hello-world”. The Delivery API returns a JSON with all the data needed. Your app will then use that JSON response to create an HTTP response and send back the response to the client. It will also save the response in the cache so that it doesn’t have to call the Delivery API next time for the same path.

This is quite similar to a reverse proxy with caching, but the JSON API makes it easier to use it in web applications as we do not need HTTP parsing logic.

This is also similar to how our “first-request” caching works, but this time this caching happens inside your web application. To clear the cache, we use webhooks.

For now, we have developed libraries for Laravel and Symfony for sub-directory hosting, with plans to cover more frameworks in the future.

Rich Editor

This was probably the hardest part of all. We spent months testing many frameworks like Draft.js, Prosemirror, and even pre-built rich editors like TinyMCE. We wanted customizability and also ease-of-use. No framework checked all boxes.

We decided to go with ProseMirror [https://prosemirror.net]. It was complex but eventually, we came to understand the power of it. It has a steep learning curve, but it’s totally worth it. We actually enjoy writing Prosemirror plugins now to add some functionality to the Rich Editor. Also, recently the author added typescript support, which incredibly improved the experience. We created many nodes like Blockquotes, Callouts (with emoji), Images with captions, Embeds, and Bookmarks pretty easily after that. ProseMirror has quite good browser support as well.

Flashload

I’ve been a fan of InstantClick [http://instantclick.io/]. We wanted to add something similar to all blogs to add a “fake-fast” effect. If you haven’t used InstantClick before, it is a simple library that turns separate HTML pages into a single-page app. It starts loading content on the mouseoever event of a link and replaces the when clicked on it. This makes navigation super fast. We created an almost copy of Instantclick named Flashload [https://github.com/hyvor/flashload] with additional configurations and optimized caching. Feel free to use it in your projects :)

Overall, it’s been a great learning experience working on Hyvor Blogs. We’d love to know what HN thinks about our project. I am happy to answer any questions you might have.

The process "git clone --no-checkout '/var/www/.composer/cache/vcs/https---github.com-phpstan-phpstan.git/' '/app/vendor/phpstan/phpstan' --dissociate --reference '/var/www/.composer/cache/vcs/https---github.com-phpstan-phpstan.git/' && cd '/app/vendor/phpstan/phpstan' && git remote set-url origin -- 'https://github.com/phpstan/phpstan.git' && git remote add composer -- 'https://github.com/phpstan/phpstan.git'" exceeded the timeout of 300 seconds.